Independent Submission                                      A. Keromytis
Request for Comments: 5708                           Columbia University
Category: Informational                                     January 2010
ISSN: 2070-1721
        
Independent Submission                                      A. Keromytis
Request for Comments: 5708                           Columbia University
Category: Informational                                     January 2010
ISSN: 2070-1721
        

X.509 Key and Signature Encoding for the KeyNote Trust Management System

KeyNote信任管理系统的X.509密钥和签名编码

Abstract

摘要

This memo describes X.509 key identifiers and signature encoding for version 2 of the KeyNote trust-management system (RFC 2704). X.509 certificates (RFC 5280) can be directly used in the Authorizer or Licensees field (or in both fields) in a KeyNote assertion, allowing for easy integration with protocols that already use X.509 certificates for authentication.

本备忘录描述了KeyNote信任管理系统(RFC 2704)版本2的X.509密钥标识符和签名编码。X.509证书(RFC 5280)可直接用于KeyNote断言中的“授权人”或“被许可人”字段(或两个字段),允许与已使用X.509证书进行身份验证的协议轻松集成。

In addition, the document defines additional signature types that use other hash functions (beyond the MD5 and SHA1 hash functions that are defined in RFC 2792).

此外,该文档还定义了使用其他哈希函数的其他签名类型(RFC 2792中定义的MD5和SHA1哈希函数除外)。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5708.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5708.

Copyright Notice

版权公告

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定(http:truster.IETF.org/license info)的约束,这些法律规定在本文件出版之日生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

1. Introduction
1. 介绍

KeyNote is a simple and flexible trust-management system designed to work well for a variety of large- and small-scale, Internet-based applications. It provides a single, unified language for both local policies and credentials. KeyNote policies and credentials, called 'assertions', contain predicates that describe the trusted actions permitted by the holders of specific public keys. KeyNote assertions are essentially small, highly structured programs. A signed assertion, which can be sent over an untrusted network, is also called a 'credential assertion'. Credential assertions, which also serve the role of certificates, have the same syntax as policy assertions but are also signed by the principal delegating the trust. Note that only one principal may sign a credential assertion, but trust may be delegated to multiple principals. The credential assertion may delegate trust to each of these principals separately or to groups of principals required to act together. For more details on KeyNote, see [KEYNOTE]. This document assumes reader familiarity with the KeyNote system.

KeyNote是一个简单而灵活的信任管理系统,设计用于各种大型和小型的基于Internet的应用程序。它为本地策略和凭据提供了一种统一的语言。KeyNote策略和凭据(称为“断言”)包含描述特定公钥持有者允许的可信操作的谓词。基调断言本质上是小型的、高度结构化的程序。可以通过不受信任的网络发送的签名断言也称为“凭证断言”。凭证断言也充当证书的角色,其语法与策略断言相同,但也由委托信任的主体签名。请注意,只有一个主体可以签署凭证断言,但信任可以委托给多个主体。凭证断言可以将信任分别委托给这些主体中的每一个,或者委托给需要共同行动的主体组。有关注释记号的详细信息,请参见[KeyNote]。本文档假定读者熟悉注释记号系统。

Cryptographic keys may be used in KeyNote to identify principals. To facilitate interoperation between different implementations and to allow for maximal flexibility, keys must be converted to a normalized canonical form (dependent on the public key algorithm used) for the purposes of any internal comparisons between keys. For example, an RSA key may be encoded in base64 [RFC4648] ASCII in one credential and in hexadecimal ASCII in another. A KeyNote implementation must internally convert the two encodings to a normalized form that allows for comparison between them. Furthermore, the internal structure of an encoded key must be known for an implementation to correctly decode it. [RFC2792] describes the RSA and DSA (Digital Signature Algorithm) key identifier and signature encodings for use in KeyNote assertions. This document specifies a new key identifier, allowing X.509 certificates [RFC5280] to be used as a key substitute wherever an RSA or DSA key may be used in KeyNote. Specifically, KeyNote will use the key associated with the subject of an X.509 certificate. In addition, this document defines a corresponding signature encoding, to be used in conjunction with X.509 key identifiers. Finally, this document defines new signature encodings that use new hash functions beyond the MD5 and SHA1 functions defined in RFC 2792, and which in recent years have been found to be vulnerable to attack.

可以在KeyNote中使用加密密钥来标识主体。为了促进不同实现之间的互操作并允许最大的灵活性,必须将密钥转换为规范化规范形式(取决于所使用的公钥算法),以便在密钥之间进行任何内部比较。例如,RSA密钥可以在一个凭证中以base64[RFC4648]ASCII编码,在另一个凭证中以十六进制ASCII编码。注释记号实现必须在内部将这两种编码转换为规范化形式,以便在它们之间进行比较。此外,编码密钥的内部结构必须是已知的,以便实现对其进行正确解码。[RFC2792]描述了用于注释记号断言的RSA和DSA(数字签名算法)密钥标识符和签名编码。本文档指定了一个新的密钥标识符,允许在KeyNote中可能使用RSA或DSA密钥的地方使用X.509证书[RFC5280]作为密钥替代。特别是,KeyNote将使用与X.509证书主题相关联的密钥。此外,本文件定义了相应的签名编码,与X.509密钥标识符一起使用。最后,本文档定义了新的签名编码,这些编码使用RFC 2792中定义的MD5和SHA1函数之外的新哈希函数,近年来发现这些函数容易受到攻击。

1.1. Conventions
1.1. 习俗

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

2. X.509 Key Identifier Encoding
2. X.509密钥标识符编码

X.509 key identifiers in KeyNote are encoded as an ASN1 Distinguished Encoding Rules (DER) encoding of the whole X.509 certificate, as defined in Section 4 of [RFC5280].

KeyNote中的X.509密钥标识符编码为整个X.509证书的ASN1可分辨编码规则(DER)编码,如[RFC5280]第4节所定义。

For use in KeyNote credentials, the ASN1 DER-encoded object is then ASCII-encoded (e.g., as a string of hex digits or base64 characters).

为了在注释记号凭证中使用,ASN1 DER编码的对象随后被ASCII编码(例如,作为十六进制数字或base64字符的字符串)。

X.509 keys encoded in this way in KeyNote must be identified by the "x509-XXX:" algorithm name, where XXX is an ASCII encoding ("hex" or "base64"). Other ASCII encoding schemes may be defined in the future.

在KeyNote中以这种方式编码的X.509密钥必须由“x509 XXX:”算法名称标识,其中XXX是ASCII编码(“十六进制”或“base64”)。将来可能会定义其他ASCII编码方案。

3. X.509 Key Identifier Normalized Forms
3. X.509键标识符规范化表单

For comparison purposes, the Subject public key in X.509 certificates is used in the normalized form described in Section 2 of [RFC2792]. The resulting RSA or DSA key is then used for comparing, per [RFC2792]. All X.509 key comparisons in KeyNote occur between normalized forms. Note that this allows for comparison between a directly encoded RSA or DSA key (as specified in RFC 2792) and the same key when contained in an X.509 certificate.

出于比较目的,X.509证书中的主题公钥以[RFC2792]第2节所述的规范化形式使用。然后根据[RFC2792],使用生成的RSA或DSA密钥进行比较。注释记号中的所有X.509键比较都发生在规范化窗体之间。请注意,这允许在直接编码的RSA或DSA密钥(如RFC 2792中所指定)与包含在X.509证书中的相同密钥之间进行比较。

4. X.509 Signature Computation and Encoding
4. X.509签名计算和编码

X.509 key identifier signatures are defined for historical reasons. Implementers are encouraged to use the RSA- or DSA-based signature encodings instead.

X.509由于历史原因定义了密钥标识符签名。建议实现者改用基于RSA或DSA的签名编码。

X.509 key identifier signatures in KeyNote are identical to RSA- or DSA-based signatures [RFC2792]. The only difference is that the public key corresponding to the private key that generated the signatures is encoded in an X.509 certificate in the Authorizer field of the signed credential assertion. However, an RSA- or DSA-based signature encoding (depending on the Subject key contained in the X.509 certificate itself) may be used instead.

KeyNote中的X.509密钥标识符签名与基于RSA或DSA的签名相同[RFC2792]。唯一的区别是,与生成签名的私钥相对应的公钥编码在签名凭证断言的Authorizer字段中的X.509证书中。但是,可以使用基于RSA或DSA的签名编码(取决于X.509证书本身中包含的主题密钥)。

X.509 key identifier signatures in KeyNote are computed over the assertion body (starting from the beginning of the first keyword, up to and including the newline character immediately before the "Signature:" keyword) and the signature algorithm name (including the trailing colon character, e.g., "sig-x509-sha512-base64:")

KeyNote中的X.509密钥标识符签名是在断言正文(从第一个关键字的开头开始,直到并包括紧靠“Signature:”关键字之前的换行符)和签名算法名称(包括尾随冒号字符,例如“sig-x509-sha512-base64:”)上计算的

X.509 key identifier signatures are encoded as an ASN1 OCTET STRING object, containing the signature value.

X.509密钥标识符签名编码为ASN1八位字符串对象,包含签名值。

For use in KeyNote credentials, the ASN1 OCTET STRING is then ASCII-encoded (as a string of hex digits or base64 characters).

为了在注释记号凭据中使用,ASN1八位字节字符串随后被ASCII编码(作为十六进制数字或base64字符的字符串)。

X.509 key identifier signatures encoded in this way in KeyNote must be identified by the "sig-x509-XXX-YYY:" algorithm name, where XXX is a hash function name (see Section 5 and Section 7 of this document) and YYY is an ASCII encoding ("hex" or "base64").

X.509在KeyNote中以这种方式编码的密钥标识符签名必须由“sig-x509-XXX-YYY:”算法名称标识,其中XXX是散列函数名称(见本文件第5节和第7节),YYY是ASCII编码(“十六进制”或“base64”)。

5. Hash Functions For RSA, DSA, and X.509 Key Identifier Signatures
5. RSA、DSA和X.509密钥标识符签名的哈希函数

For historical reasons (backward compatibility), X.509 key identifier signatures SHOULD support SHA1 as the hash function, using the "sha1" keyword. In addition, SHA256, SHA512, and RIPEMD160 ([SHA256+], [SHA2-2], [RIPEMD-160]) signatures MUST be supported for use with X.509 key identifier signatures, by using the "sha256", "sha512", and "ripemd160" keywords, respectively (see Section 7).

出于历史原因(向后兼容性),X.509密钥标识符签名应支持使用“SHA1”关键字将SHA1作为哈希函数。此外,分别使用“SHA256”、“SHA512”和“RIPEMD160”关键字,必须支持SHA256、SHA512和RIPEMD160([SHA256+]、[SHA2-2]、[RIPEMD-160])签名与X.509密钥标识符签名一起使用(见第7节)。

In addition, SHA256, SHA512, and RIPEMD160 signature identifiers are defined for RSA signatures, using the "sha256", "sha512", and "ripemd160" keywords, respectively (see Section 7).

此外,分别使用“SHA256”、“SHA512”和“RIPEMD160”关键字为RSA签名定义SHA256、SHA512和RIPEMD160签名标识符(参见第7节)。

6. Security Considerations
6. 安全考虑

This document discusses the format of X.509 keys and signatures as used in KeyNote. The security of KeyNote credentials utilizing such keys and credentials is directly dependent on the strength of the related public key algorithms. On the security of KeyNote itself, see [KEYNOTE]. Furthermore, it is the responsibility of the application developer to ensure that X.509 certificates are valid (signed by a trusted authority, not expired, and not revoked).

本文档讨论KeyNote中使用的X.509键和签名的格式。使用此类密钥和凭据的KeyNote凭据的安全性直接取决于相关公钥算法的强度。关于KeyNote本身的安全性,请参见[KeyNote]。此外,应用程序开发人员有责任确保X.509证书有效(由受信任的机构签署、未过期和未撤销)。

The use of SHA1 as part of signatures and key identifiers is discouraged, because of the various weaknesses in the algorithm that have been identified in recent years.

不鼓励将SHA1用作签名和密钥标识符的一部分,因为近年来发现的算法中存在各种弱点。

7. IANA Considerations
7. IANA考虑

Per [RFC2792], IANA has provided a registry of reserved algorithm identifiers. The following are reserved by this document as KeyNote public key format identifiers:

根据[RFC2792],IANA提供了保留算法标识符的注册表。本文档保留以下内容作为注释记号公钥格式标识符:

- "x509-hex" - "x509-base64"

- “x509十六进制”-“x509-base64”

The following are reserved by this document as KeyNote signature algorithm identifiers:

本文件保留以下内容作为注释记号签名算法标识符:

- "sig-x509-sha1-hex" - "sig-x509-sha1-base64" - "sig-x509-sha256-hex" - "sig-x509-sha256-base64" - "sig-x509-sha512-hex" - "sig-x509-sha512-base64" - "sig-x509-ripemd160-hex" - "sig-x509-ripemd160-base64" - "sig-rsa-sha256-hex" - "sig-rsa-sha256-base64" - "sig-rsa-sha512-hex" - "sig-rsa-sha512-base64" - "sig-rsa-ripemd160-hex" - "sig-rsa-ripemd160-base64"

- “sig-x509-sha1-hex”——“sig-x509-sha1-base64”——“sig-x509-sha256-base64”——“sig-x509-sha512-hex”——“sig-x509-sha512-base64”——“sig-x509-ripemd160-base64”——“sig-rsa-sha256-hex”——“sig-rsa-SHA556-base64”——“sig-rsa-sha512-hex”——“sig-rsa-ripemd160-ripemd160-RIPD160-hex”——“sig-rsa-RIPD160”“sig-rsa-ripemd160-base64”

Note that the double quotes are not part of the algorithm identifiers.

请注意,双引号不是算法标识符的一部分。

8. References
8. 工具书类
8.1. Normative References
8.1. 规范性引用文件

[SHA256+] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006.

[SHA256+]Eastlake 3rd,D.和T.Hansen,“美国安全哈希算法(SHA和HMAC-SHA)”,RFC 46342006年7月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 52802008年5月。

8.2. Informative References
8.2. 资料性引用

[KEYNOTE] Blaze, M., Feigenbaum, J., Ioannidis, J., and A. Keromytis, "The KeyNote Trust-Management System Version 2", RFC 2704, September 1999.

[KEYNOTE]Blaze,M.,Feigenbaum,J.,Ioannidis,J.,和A.Keromytis,“KEYNOTE信托管理系统版本2”,RFC 27042099年9月。

[RFC2792] Blaze, M., Ioannidis, J., and A. Keromytis, "DSA and RSA Key and Signature Encoding for the KeyNote Trust Management System", RFC 2792, March 2000.

[RFC2792]Blaze,M.,Ioannidis,J.,和A.Keromytis,“KeyNote信任管理系统的DSA和RSA密钥和签名编码”,RFC 2792,2000年3月。

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006.

[RFC4648]Josefsson,S.,“Base16、Base32和Base64数据编码”,RFC4648,2006年10月。

[RIPEMD-160] 3.ISO/IEC 10118-3:1998, "Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions," International Organization for Standardization, Geneva, Switzerland, 1998.

[RIPEMD-160]3.ISO/IEC 10118-3:1998,“信息技术-安全技术-哈希函数-第3部分:专用哈希函数”,国际标准化组织,瑞士日内瓦,1998年。

[SHA2-2] NIST, "Descriptions of SHA-256, SHA-384, and SHA-512", May 2001, <http://csrc.nist.gov/publications/fips/ fips180-3/fips180-3_final.pdf>.

[SHA2-2]NIST,“SHA-256、SHA-384和SHA-512的说明”,2001年5月<http://csrc.nist.gov/publications/fips/ fips180-3/fips180-3_final.pdf>。

9. Acknowledgements
9. 致谢

The author would like to thank Jim Schaad for his review and comments on earlier versions of this document.

作者要感谢Jim Schaad对本文件早期版本的审查和评论。

Author's Address

作者地址

Angelos D. Keromytis Department of Computer Science Columbia University Mail Code 0401 1214 Amsterdam Avenue New York, New York 1007 USA

Angelos D.Keromytis哥伦比亚大学计算机科学系邮件代码0401 1214美国纽约州纽约市阿姆斯特丹大道1007

   EMail: angelos@cs.columbia.edu
        
   EMail: angelos@cs.columbia.edu